How Microsoft is addressing the lockout issue and steps administrators can take to resolve it.
Published: Apr 21, 2025
Last week, administrators across numerous organizations were blindsided by widespread account lockouts. This issue was caused by Microsoft’s newly launched MACE Credential Revocation app in Entra ID, which mistakenly flagged legitimate users as high risk.
MACE Credential Revocation is an app in Microsoft Entra ID (formerly Azure Active Directory) that Microsoft recently released to revoke credentials suspected of being compromised. It checks whether a user’s password hashes appear on the dark web or in other leak sources and, if so, flags that user as high risk.
In a Reddit thread, Windows administrators reported receiving multiple alerts from Microsoft Entra ID. The alerts warned that certain user credentials had been found on the dark web or other suspicious sources. These accounts were automatically locked out of their tenants, which affected many users across various organizations.
Notably, even users who sign in with passwordless authentication methods were locked out. That points to false positives rather than genuine compromise, since accounts without a password have no password to appear in a breach.
According to Microsoft, this issue was caused by a new MACE Credential Revocation app that rolled out over the weekend. Several administrators reported that this app was automatically installed in Microsoft Entra ID. This installation occurred just before users were flagged as high risk due to suspected credential leaks.
“On Friday 4/18/25, Microsoft identified that it was internally logging a subset of short-lived user refresh tokens for a small percentage of users, whereas our standard logging process is to only log metadata about such tokens. The internal logging issue was immediately corrected, and the team performed a procedure to invalidate these tokens to protect customers. As part of the invalidation process, we inadvertently generated alerts in Entra ID Protection indicating the user’s credentials may have been compromised. These alerts were sent between 4/20/25 4AM UTC and 4/20/25 9AM UTC,” the Microsoft support team explained.
Administrators can restore access by marking the affected users as safe in Microsoft Entra ID. Before doing so, check each account’s “Risk last updated” timestamp and clear only the accounts whose risk was raised by this specific issue, so that a genuine detection is not dismissed along with the false positives. Alternatively, admins can remediate the affected users by resetting their passwords.
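As an added illustration of the triage step above (this is not code from the article or from Microsoft), the following Python filters Microsoft Graph riskyUsers records by their “Risk last updated” timestamp against the alert window Microsoft gave, and builds the bulk confirm-safe request for the matches. The sample records are constructed; the Graph endpoints named in the comments are the public v1.0 identity protection ones.

```python
from datetime import datetime, timezone

# Window in which Microsoft says the erroneous alerts were sent (from the statement above).
WINDOW_START = datetime(2025, 4, 20, 4, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 4, 20, 9, 0, tzinfo=timezone.utc)

# Constructed sample shaped like Microsoft Graph riskyUsers records
# (GET /identityProtection/riskyUsers); ids and UPNs are made up.
SAMPLE_RISKY_USERS = [
    {"id": "00000000-0000-0000-0000-000000000001", "userPrincipalName": "alice@example.com",
     "riskState": "atRisk", "riskLevel": "high",
     "riskLastUpdatedDateTime": "2025-04-20T05:12:44.1234567Z"},
    {"id": "00000000-0000-0000-0000-000000000002", "userPrincipalName": "bob@example.com",
     "riskState": "remediated", "riskLevel": "none",
     "riskLastUpdatedDateTime": "2025-04-20T06:30:00.0000000Z"},
    {"id": "00000000-0000-0000-0000-000000000003", "userPrincipalName": "carol@example.com",
     "riskState": "atRisk", "riskLevel": "high",
     "riskLastUpdatedDateTime": "2025-04-19T22:05:10.0000000Z"},
    {"id": "00000000-0000-0000-0000-000000000004", "userPrincipalName": "dave@example.com",
     "riskState": "atRisk", "riskLevel": "high",
     "riskLastUpdatedDateTime": "2025-04-20T08:59:59.9999999Z"},
]

def parse_graph_time(value):
    """Parse Graph's UTC timestamps, which carry seven fractional digits (more than
    datetime.fromisoformat accepts on older Pythons), truncating to microseconds."""
    base, _, frac = value.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    parsed = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(microsecond=micros, tzinfo=timezone.utc)

def select_mace_affected(risky_users, start=WINDOW_START, end=WINDOW_END):
    """Keep only users still at risk whose 'Risk last updated' falls inside the window.
    Users updated outside it, or already remediated/dismissed, are left alone so a
    genuine detection is not cleared along with the false positives."""
    selected = []
    for rec in risky_users:
        if rec.get("riskState") != "atRisk":
            continue
        if start <= parse_graph_time(rec["riskLastUpdatedDateTime"]) <= end:
            selected.append(rec)
    return selected

def confirm_safe_request(records):
    """Build the bulk confirm-safe call (POST /identityProtection/riskyUsers/confirmSafe)
    for the selected ids; review the list before sending it."""
    return {"method": "POST",
            "url": "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers/confirmSafe",
            "body": {"userIds": [r["id"] for r in records]}}
```

Run against a real tenant by replacing SAMPLE_RISKY_USERS with the paged results of the riskyUsers query, then send the returned request with an app that holds the IdentityRiskyUser.ReadWrite.All permission.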